Preface: There's nothing nefarious here, nor is the information contained herein particularly helpful to thieves or the dishonest. A thief would just cut the dang thing open and be done with it.

So I bought a fire safe to protect some documents that I wanted protected in the unlikely event of a house fire. When I got the safe, I promptly emailed myself the manufacturer's code, set up an easily remembered user code, and stored the manual with the manufacturer's code in a "safe place."

Fast forward two years. I need to get to one of the documents in the safe. I can't seem to remember the user code. No problem, I say, I'll just look up the manufacturer's code in my email. So, what keywords did I use to make it searchable? Apparently not safe, combo, password, combination, or any combination or related word thereof. Ok, no problem, I'll just go get my manual from... umm, nope, not in my drawer with user manuals, nor in my filing system. WTF. The combos are both lost for good.

So I start considering my options. I could send a notarized letter to the safe company, but where's the fun in that? I could open it destructively, but I didn't really want to do that either. The lock is an electronic combination with a five digit password, so brute forcing seems plausible, but there's a two minute lockout on 3 wrong combinations, taking the brute force time to 140 days. That won't work. Unless...

I open up the battery compartment, enter three wrong combos, it goes into lockout mode, I remove the battery for a couple seconds and put it back. Yep, it "forgot" it was in lockout mode, and I can now enter 3 more passwords. Only 99,994 more to go. I estimate the safe could be opened in less than 6 days using brute force. I'm not in a real hurry for the documents, don't want to break the safe, and love the challenge of getting my safecracking on, so I commit to cracking this sucker via brute force.

At first I considered a mechanical dialer that would punch the buttons for me, but the mechanics of doing that with acceptable speed seemed somewhat difficult - not an afternoon's kind of project.

However, by cutting away a couple globs of hot glue with a blade, i could access the keypad contacts directly:

Conveniently, there are access holes for connecting wires to the contact array.

So I start sketching up where I need jumper wires and placing them.

Then it was a simple matter of using some relay boards I had laying around to start dialing the keypad using an arduino I also had laying around. I used a couple of photosensors to read the LED status indicators so that I could know if the combo failed or succeeded. Finally, I used an additional relay to power cycle the keypad after 3 failed combinations to defeat the lockout feature.

With a little programming work, I had an automated dialer that should (!) stop when the correct combination was found. By logging each attempt on a laptop and writing a couple of little helper scripts, I had hourly status updates being delivered via email. It was a bit of a programmer's nightmare in that I could not test the code directly for success, and didn't have the exact details of what the success scenario looked like, for example, how long until the green LED would light, how brightly it would light, or if it would be solid or flashing. Some youtubing failed to turn up these details as well. So I did my best to make it robust to these details and prayed.

And prayed, and prayed, and prayed... for five days, the robot dialed, and failed, and dialed again. When over 2/3 of the keyspace had been searched and no combination found, I started to doubt the success of the project.

However, this morning at 7:09 am, one minute before my alarm usually goes off (weird coincidence), the phone on my nightstand buzzed with an email alert. It was the safecracking robot calling, saying it had found the correct code. Somewhat scared of a false positive, I showered first, then headed into the room and removed the heavy blanket which I'd been using to muffle the incessant beeping. I entered the code sent via email and lo and behold, it opened. You can see a pen propping open the door in the lower left corner.

I love it when a plan comes together. With a little hot glue the keypad will go right back together and the safe will be like new. And this time my email with the combination will not be titled "Remember this number". *facepalm*

Now, as a wisecracking friend said "Dude, you can totally rob a bank now, at least when it's closed for a week". And when they are using cheap Walmart fire safes...

UAirLtd wrote:This is hacking at its finest: no frills, gets the job done. Also really well written. My hat off to you, sir.

Thanks! The delayed gratification of this project added an element of suspense which really made it fun when it hit paydirt and the safe opened. It had to be truly autonomous as there was no way I could monitor its progress even after maximizing the rate at which codes could be entered and minimizing the downtime of the power cycle. I had all of that optimized down to 10 ms. That was all done through trial and error.

I got the keypad put back together this evening, and the safe is like new again.

By the way, what do you think I found inside the safe? That's right, the manual with the printed code. *facepalm again*

I had a similar experience when I started my last job. Locked tape safe. We had the key, but not the combination. That safe didn't lock out the controls after bad tries though. I ran the math on the combinations and found that it would take a guy, doing nothing but it, about 3 full business days to find the combination.

I've gotten some requests for the arduino sketch I used in this project, so I'm posting it here.

It isn't pretty, but it got the job done. If you want to try this on your own safe, you're going to have to do some prep work: setting up the pins to your relays, calibrating the thresholds for reading the LEDs from your photocells, and you'll probably want to experiment with the timings to get it to go as fast as you can on your system.

I used CoolTermWin to log the serial output to a file so I could monitor progress over the days it took to complete.

Excellent work, love to see such a project getting together. Unfortunately this doesn't go around the limited trial systems (3 wrong keys and you're out) nor the long keys (that require huge amounts of combinations and so time). Plenty of ideas for v2

nor the long keys (that require huge amounts of combinations and so time). Plenty of ideas for v2

Right, brute force probably isn't the way on longer keys.

Lol, I like this. I read about a new spray that robbers use. They spray some film over the keypad and then can come back later and peel it off and can tell what buttons have been pressed by smudge prints.

Or another way is to put a mini camera facing the keypad. Your way is much more fun though thanks for sharing your hack.